From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-ot1-f53.google.com (mail-ot1-f53.google.com [209.85.210.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 81FD6296BCB for ; Tue, 14 Apr 2026 01:01:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.53 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776128463; cv=none; b=BYiQLpTAtBzroHX/YhBOrGG0Tc/BFxZ92mDUYHBl6jWWIYLt2WxRA/GCNcsBJXC423z/K6ou8g5362o1eG3YC3pLu5tJjzZfWYj7QnnOt55i7ZgG/rhvx0zfL9eizMsN0MQSJMMwTpuTbxoCGX2llbK9sYosguBNDttnfl6CR9w= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776128463; c=relaxed/simple; bh=MgxPj4jbaCxLE5wuCvLBNE8qYKkQXxzozDehyHqvTog=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=PsRGJVlDJYrhMjrQ/S2WeIWfSlicPDqIwZNaD3RtysUtYwWLM+vn0Cqj+RzWstgxKoSzveiXerX/UPYa3Gp6uzq46wiaUQXqgOcFRPnmZQ5AuIa2aTfGyoLCqDiSR1YXEYWTgwqgt+n/0xtlXCpuy5euRALZOzHkkDCy9BXp08Y= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=adrianwowk.com; spf=pass smtp.mailfrom=adrianwowk.com; dkim=pass (2048-bit key) header.d=adrianwowk.com header.i=@adrianwowk.com header.b=f0RtSb1N; arc=none smtp.client-ip=209.85.210.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=adrianwowk.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=adrianwowk.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=adrianwowk.com header.i=@adrianwowk.com header.b="f0RtSb1N" Received: by mail-ot1-f53.google.com with SMTP id 46e09a7af769-7dbccb6ae20so2594332a34.3 for ; Mon, 13 Apr 2026 18:01:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adrianwowk.com; s=google; t=1776128460; x=1776733260; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=BiJj2U0dcApG4g4r33MMQF3Km4Fw6Tmwa9t2KLhofNk=; b=f0RtSb1N0L9+22g91GKBsSIzbYo48+SosaRqOc+6iCPMUEaKba1SYQQLLBjljFt5pT Pmgb+MLSgvPl+Sj6lL/8xtu7Oe0B9ceKAGfKGQRb9Cg4JzgmCbcgPoHih94b6HCVQUd0 JokmvBTI4d1/+YI9hqoiA11zppaQHK3yzUSJ8DWlROHWBmQl87oX/MZ5WD7r4L+HWAaM cjN+uYZLXjyGdYUgCfqqvnmkH+sHmw2voDSsEq+fveU4k01sDroICI5irE4lCx4DGGBT +PXtkkSARTvmoJHe7RnaK7eDH7CK9BYbUD2rJ505dEKEZxQJSTP4+CyJ+jLGNs31DVZD 6GfA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776128460; x=1776733260; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=BiJj2U0dcApG4g4r33MMQF3Km4Fw6Tmwa9t2KLhofNk=; b=JFcay9Kh61nA7tJZly526CByyUN5djzEL9bHT9fG9TMlx0PvqI6Y/eW7fDpRvzpRfn RK+5ucNXa7gPeeXvNHcXvTATg4vnaS737KKicUZ1vKT5Vs3sstEbxLzb/V/K5rDY9sNr 2ckOD7IuW3IUkS774kG2O+Q2SNYAvyDInzY9hW4Hi9TG/pg2/zqHcUvVss5BelI3pMQc Jzw17J0abH/mGVs0XCyChHqzT1WoSVjk2nvUwmPgmHAH++xKA6iMlgv82mQOs2SiqD5M AJUvRi6MUMNH/uk4h3kTLpwwreb33BTNeRXYSK6DFAedzk7o8XjIuGhA/iMc5Rstg/NA EFew== X-Forwarded-Encrypted: i=1; AFNElJ8I3EW90KvzgzUoKoBhUwM46d9v8ZhvYQTdah95V+ZKF7m6UErGzQeIxnL41BGdflu9U4zebVeZdaLhWAY=@vger.kernel.org X-Gm-Message-State: AOJu0Yydk2shNl7UsbjeR06s2Sf531sT4ykzt/Na24CVd9KdldHYsWKo 6TWSTlSdAD1kCzKTwO3kpsVp81WsPbbz2oUEcoALwHhLj5fUDUmtfNgmdkNIev83Hbs= X-Gm-Gg: AeBDiet3YCRCaY67jvrReu3/lREOMUlKjUnXC6PsQ/RAQF+J4zbJM4UtngF6MOlafmM DIEJLSeDVWpTEllo84Dd65egkThUBrTGppG7LrQgioImcQPtBP0CeLW5Hwwigln+tglVrK1XPDF ci9emcM4L0X3mPBJaYr/3DVY67odi5plszWLT6Nd16va73YKEKEDd0Xl9QgO4BxpUKaxRthR2nR 0lumJ6YpqUoYuJQNT1uos6zt0lThJrto8qq0EqHJq6WW3Krz9K4ui/0ykV1ICmFYjLA7ZTkyDTZ IBhKbBStdsX8iZK2xE5rRfHuu6h4ScN8sNrSvxhqbU6gkPRkzUkcursAYManjnzYe/PrG70+qlJ XywFQV3aJ8jtQCdpnoSxQKEcLJVRhXYURlnK2FFKMiyaA5pNhXrLcADpZupmkEgC9ipoYKCAsCm iZQ6QVhUEgQPaDT2M4Upa+AQZHSkbFb/eW4hRelWCBSw== X-Received: by 2002:a05:6830:67cf:b0:7d9:ad90:573c with SMTP id 46e09a7af769-7dc27ed0496mr8826936a34.17.1776128460417; Mon, 13 Apr 2026 18:01:00 -0700 (PDT) Received: from linux-dev ([12.26.11.218]) by smtp.gmail.com with ESMTPSA id 46e09a7af769-7dc269d3255sm9964556a34.25.2026.04.13.18.00.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Apr 2026 18:00:59 -0700 (PDT) From: Adrian Wowk To: valentina.manea.m@gmail.com, shuah@kernel.org Cc: i@zenithal.me, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Adrian Wowk Subject: [PATCH 1/2] usbip: vhci_hcd: fix NULL deref in status_show_vhci Date: Mon, 13 Apr 2026 20:00:49 -0500 Message-ID: <20260414010050.158064-2-dev@adrianwowk.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260414010050.158064-1-dev@adrianwowk.com> References: <20260414010050.158064-1-dev@adrianwowk.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit platform_get_drvdata() can return NULL if a VHCI host controller's probe failed (e.g. due to USB bus number exhaustion). status_show_vhci() checked for a NULL pdev but not for a NULL hcd returned by platform_get_drvdata(). Passing NULL to hcd_to_vhci_hcd() does not return NULL - it returns a pointer offset of 0x260, causing a NULL pointer dereference when that value is subsequently dereferenced. Add a NULL check on hcd before calling hcd_to_vhci_hcd(). Move status_show_not_ready() above status_show_vhci() to make it callable from the new error path without a forward declaration. Signed-off-by: Adrian Wowk --- drivers/usb/usbip/vhci_sysfs.c | 52 +++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 23 deletions(-) diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c index d5865460e82..336fb4d92c6 100644 --- a/drivers/usb/usbip/vhci_sysfs.c +++ b/drivers/usb/usbip/vhci_sysfs.c @@ -59,6 +59,29 @@ static void port_show_vhci(char **out, int hub, int port, struct vhci_device *vd *out += sprintf(*out, "\n"); } +static ssize_t status_show_not_ready(int pdev_nr, char *out) +{ + char *s = out; + int i = 0; + + for (i = 0; i < VHCI_HC_PORTS; i++) { + out += sprintf(out, "hs %04u %03u ", + (pdev_nr * VHCI_PORTS) + i, + VDEV_ST_NOTASSIGNED); + out += sprintf(out, "000 00000000 0000000000000000 0-0"); + out += sprintf(out, "\n"); + } + + for (i = 0; i < VHCI_HC_PORTS; i++) { + out += sprintf(out, "ss %04u %03u ", + (pdev_nr * VHCI_PORTS) + VHCI_HC_PORTS + i, + VDEV_ST_NOTASSIGNED); + out += sprintf(out, "000 00000000 0000000000000000 0-0"); + out += sprintf(out, "\n"); + } + return out - s; +} + /* Sysfs entry to show port status */ static ssize_t status_show_vhci(int pdev_nr, char *out) { @@ -76,6 +99,12 @@ static ssize_t status_show_vhci(int pdev_nr, char *out) } hcd = platform_get_drvdata(pdev); + + if (!hcd) { + usbip_dbg_vhci_sysfs("show status error (hcd is NULL)\n"); + return status_show_not_ready(pdev_nr, out); + } + vhci_hcd = hcd_to_vhci_hcd(hcd); vhci = vhci_hcd->vhci; @@ -104,29 +133,6 @@ static ssize_t status_show_vhci(int pdev_nr, char *out) return out - s; } -static ssize_t status_show_not_ready(int pdev_nr, char *out) -{ - char *s = out; - int i = 0; - - for (i = 0; i < VHCI_HC_PORTS; i++) { - out += sprintf(out, "hs %04u %03u ", - (pdev_nr * VHCI_PORTS) + i, - VDEV_ST_NOTASSIGNED); - out += sprintf(out, "000 00000000 0000000000000000 0-0"); - out += sprintf(out, "\n"); - } - - for (i = 0; i < VHCI_HC_PORTS; i++) { - out += sprintf(out, "ss %04u %03u ", - (pdev_nr * VHCI_PORTS) + VHCI_HC_PORTS + i, - VDEV_ST_NOTASSIGNED); - out += sprintf(out, "000 00000000 0000000000000000 0-0"); - out += sprintf(out, "\n"); - } - return out - s; -} - static int status_name_to_id(const char *name) { char *c; -- 2.53.0